Description: Seems LibreOffice can make a magical use of "protected" signing X.509 certificates in Windows certificate store. It can sign PDF documents without knowing the actually necessary signing password. I'm not even sure if this is a LO bug. Probably it is a Windows bug. Steps to Reproduce: 1. Create a Writer document 2. Export the document to PDF with applying a digital signature (X.509) 3. Let the certificate password field be empty. 4. Export the PDF and enjoy a signed document. Actual Results: The document is signed without asking for a permission to use the X.509 certificate, although the certificate was imported into the Windows certificate store as "ask for permission with a password". Expected Results: LibreOffice should not be able to sign the document until the certificate password is filled in the field. Reproducible: Always User Profile Reset: No Additional Info: Version: 7.1.8.1 (x86) / LibreOffice Community Build ID: e1f30c802c3269a1d052614453f260e49458c82c CPU threads: 2; OS: Windows 10.0 Build 19043; UI render: Skia/Raster; VCL: win Locale: de-DE (de_DE); UI: de-DE Calc: CL A previous version, LibreOffice 6.3.6.2 (x64) shows the same behaviour. Respectively ability. :D The PDF viewer says the signature is valid. As said, I cannot understand why Windows allows the use of the certificate without a password in this case. Other software must know a password to sign with this certificate.
7.1.8.1 (x86) because it is LO portable version at the moment.
Today I tried to delete the certificate in the Windows Certificate Store and re-installed it with a different password for permission, just to find out if LibreOffice had saved the first password sometimes before. But no difference, LO uses the certificate without asking for a password.
Thank you for the report. Could you please test again with an updated version of LibreOffice, preferably 7.5?
I can use the MS Office certificate to sign but it's recognised as invalid. Don't have other MS certificates so cannot test. Signing a document with a password protected GPG certificate brings up the Kleopatra password dialog.
Dear Stephan, This bug has been in NEEDINFO status with no change for at least 6 months. Please provide the requested information as soon as possible and mark the bug as UNCONFIRMED. Due to regular bug tracker maintenance, if the bug is still in NEEDINFO status with no change in 30 days the QA team will close the bug as INSUFFICIENTDATA due to lack of needed information. For more information about our NEEDINFO policy please read the wiki located here: https://wiki.documentfoundation.org/QA/Bugzilla/Fields/Status/NEEDINFO If you have already provided the requested information, please mark the bug as UNCONFIRMED so that the QA team knows that the bug is ready to be confirmed. Thank you for helping us make LibreOffice even better for everyone! Warm Regards, QA Team MassPing-NeedInfo-Ping
Dear Stephan, Please read this message in its entirety before proceeding. Your bug report is being closed as INSUFFICIENTDATA due to inactivity and a lack of information which is needed in order to accurately reproduce and confirm the problem. We encourage you to retest your bug against the latest release. If the issue is still present in the latest stable release, we need the following information (please ignore any that you've already provided): a) Provide details of your system including your operating system and the latest version of LibreOffice that you have confirmed the bug to be present b) Provide easy to reproduce steps – the simpler the better c) Provide any test case(s) which will help us confirm the problem d) Provide screenshots of the problem if you think it might help e) Read all comments and provide any requested information Once all of this is done, please set the bug back to UNCONFIRMED and we will attempt to reproduce the issue. Please do not: a) respond via email b) update the version field in the bug or any of the other details on the top section of our bug tracker Warm Regards, QA Team MassPing-NeedInfo-FollowUp